// In versions 1.10.x 'administrator' role would be allowed to access All resources
// by $acl->allow('administrator'); or $acl->allow('administrator', null);
// basically saying to allow Role 'administrator' to Access ALL Resources

Comments

I am experiencing this same issue; it is preventing me from upgrading to 1.11.0. Reverting as specified by Reporter above fixes it.

Posted by Philip Iezzi (iezzip) on 2010-11-11T09:10:44.000+0000

Same problem here, prevents me from upgrading to 1.11.0. I've got a default allow permission schema for a site with just 3 resources that need to be restricted.

// default permission is allow
$this->allow();

This won't give permission to any resource that is NOT defined as follows:

$this->add(new Zend_Acl_Resource('account'));

In 1.10.8 it worked as expected and gave permission to every other resource.
Thanks for fixing soon!

Posted by Ralph Schindler (ralph) on 2010-11-12T12:24:51.000+0000

I've uploaded a patch for this issue. It includes a unit test.

The problem is actually pretty interesting. The fix for ZF-9643 was at the time a good fix, but there is this use case (described in this issue) that was not covered by our existing unit tests. Regardless, this use case is indeed pretty common, so we need to find a way to ensure that all common use cases work.

In this solution, we actually need to handle (in setRule()) the special case of what happens when 'null' is passed in for resources. The concept of "all resources" is handled by a special "global" ruleset. This solution attempts to modify the global ruleset instead of iterating and applying a rule to all resources. Consequently, when removing rules globally, this patch iterates all resources to do a full "cleanup".

The solution provided is completely backwards compatible as far as all the use cases described in the old and the new unit tests are concerned.
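
The two strategies described in the comment above, as an added example that is not Zend_Acl's code and not part of the patch: a simplified model in which a rule for "all resources" is either copied onto each registered resource or stored once in a global ruleset. The class MiniAcl, its method names and the resource 'reports' are assumptions made for illustration; only in the global-ruleset variant does the rule cover a resource registered after the rule was set.

```php
<?php
// Simplified model (PHP 8+), not Zend_Acl's code. 'reports' is a made-up resource.
final class MiniAcl
{
    private array $resources = [];   // registered resource ids
    private array $global = [];      // role => bool: the "all resources" ruleset
    private array $byResource = [];  // resource => [role => bool]

    public function __construct(private bool $useGlobalRuleset) {}

    public function add(string $resource): void { $this->resources[$resource] = true; }

    // $resource === null means "all resources".
    public function setRule(string $role, ?string $resource, bool $allow): void
    {
        if ($resource !== null) {
            $this->byResource[$resource][$role] = $allow;
        } elseif ($this->useGlobalRuleset) {
            $this->global[$role] = $allow;  // one rule covers every resource
        } else {
            foreach (array_keys($this->resources) as $r) {  // only those registered so far
                $this->byResource[$r][$role] = $allow;
            }
        }
    }

    // Global removal also sweeps per-resource rules (the "cleanup").
    public function removeRule(string $role): void
    {
        unset($this->global[$role]);
        foreach (array_keys($this->byResource) as $r) {
            unset($this->byResource[$r][$role]);
        }
    }

    public function isAllowed(string $role, string $resource): bool
    {
        // The most specific rule wins; with no rule at all the answer is deny.
        return $this->byResource[$resource][$role] ?? $this->global[$role] ?? false;
    }
}

foreach ([false, true] as $useGlobal) {
    $acl = new MiniAcl($useGlobal);
    $acl->add('account');
    $acl->setRule('administrator', null, true);  // models $acl->allow('administrator')
    $acl->add('reports');                        // registered after the rule
    var_dump($useGlobal, $acl->isAllowed('administrator', 'reports'));
    $acl->removeRule('administrator');           // global removal with cleanup
    var_dump($acl->isAllowed('administrator', 'account'));
}
```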